Saturday, July 11, 2026

News

GhostApproval Flaw Lets AI Coding Agents Write Files Outside the Sandbox

CodingPatryk Raba
Fot. Tima Miroshnichenko, Pexels (Pexels License)

Researchers at Wiz have disclosed GhostApproval, a vulnerability affecting six popular AI coding assistants, including Claude Code, Cursor, and Amazon Q, that lets attackers gain remote access to a developer's machine through ordinary symbolic links.

Contents
  1. How the Approval Prompt Deception Works
  2. Vendors Split on Response
  3. What It Means for Developers

Research firm Wiz has disclosed a vulnerability called GhostApproval that affects six of the most popular AI-based coding assistants. The flaw exploits a decades-old Unix feature, symbolic links, combined with the way AI tools present file-change approval prompts to users.

The attack mechanism relies on a malicious repository containing a file that is actually a symbolic link, a pointer to an entirely different location on disk. Wiz researchers demonstrated the attack by creating a file with the innocuous name project_settings.json that in reality pointed to ~/.ssh/authorized_keys, the file responsible for authorizing SSH access.

How the Approval Prompt Deception Works

The most troubling part of the discovery is that the AI agent's internal reasoning correctly identifies the target file as sensitive, but the dialog box shown to the user hides that information. The developer sees a request to edit a seemingly harmless local configuration file, while in reality approving a modification to a system file, such as ~/.zshrc or the list of authorized SSH keys. Wiz classified the issue as a combination of CWE-61, covering symbolic links, and CWE-451, covering misleading user interfaces.

In a practical attack scenario, the README file of a malicious repository instructs the agent to update a supposed settings file with an SSH public key. Because the file is actually a symlink to the authorized keys list, the operation grants the attacker persistent SSH access to the victim's machine, and the user never learns what they actually approved.

Vendors Split on Response

Responses from the companies covered in the report vary significantly. Amazon, Google, and Cursor treated the report as a genuine vulnerability and rolled out fixes between May and June 2026, with Cursor formally registering the bug as CVE-2026-50549. Augment and Windsurf confirmed receiving the report but have not yet issued patches.

Anthropic took a different stance, arguing that Claude Code's behavior does not constitute a security vulnerability. The company emphasizes that a user who confirms trust in a working directory at the start of a session takes on responsibility for the consequences of the agent's approved actions.

This falls outside our current threat model. When the user first starts Claude Code in a directory, they must confirm that they trust the directory prior to starting the session - Anthropic, in response to Wiz's report

Despite formally rejecting the vulnerability classification, Anthropic introduced symbolic-link warnings in Claude Code version 2.1.32 in February 2026, nine days before receiving Wiz's report, describing them as a proactive security hardening measure rather than a reaction to a specific disclosure.

What It Means for Developers

The GhostApproval discovery is a reminder that AI tools built on old operating-system foundations also inherit their old weaknesses. For development teams in Poland using Cursor, Claude Code, or Amazon Q, the practical recommendation is simple: update tools to the latest versions, limit opening AI agents on untrusted repositories, and don't treat the approval prompt as a complete description of what the agent is actually doing.

The case also highlights a broader industry problem, the lack of unified security standards for coding agents that are gaining ever-wider permissions to modify a developer's file system. The differing approaches taken by vendors, from rapid patches to outright rejection of the report, show that the definition of what constitutes a security vulnerability in the age of autonomous AI agents remains unsettled.

Sources: Wiz (wiz.io), The Hacker News (thehackernews.com), SecurityWeek (securityweek.com)

Share: